Guidance Software 0wn3d
This morning I read stories by Brian Krebs and Joris Evers explaining how Guidance Software, maker of host-based forensics suite Encase, was compromised. Guidance CEO John Colbert claims "a person compromised one of our servers," including "names, addresses and credit card details" of 3,800 Guidance customers. Guidance claims to have learned about the intrusion on 7 December. Victim Kessler International reports the following:
"Our credit card fraud goes back to Nov. 25. If Guidance knew about it on Dec. 7, they should have immediately sent out e-mails. Why send out letters through U.S. mail while we could have blocked our credit cards?"
Guidance could face severe financial trouble. According to reporter Joris Evers:
"Guidance stored customer names and addresses and retained card value verification, or CVV, numbers, Colbert said. The CVV number is a three-digit code found on the back of most credit cards that is used to prevent fraud in online and telephone sales. Visa and MasterCard prohibit sellers from retaining CVV once a transaction has been completed."
Reporter Krebs explains the implications:
"Companies that violate those standards can be fined $500,000 per violation. Credit card issuers generally levy such fines against the bank that processes payment transactions for the merchant that commits the violations. The fines usually are passed on to the offending company."
Since Guidance's customers include "hundreds of security researchers and law enforcement agencies worldwide, including the U.S. Secret Service, the FBI and New York City police," I don't think those customers will tolerate this breach of trust.
Why did it take Guidance at least 12 days (from the first known fraudulent purchases on 25 Nov to the reported discovery on 7 Dec) to learn they were owned? I think this is an example of a company familiar with creating host-centric forensic software, but unfamiliar with sound operational security and proper policy, architecture, and monitoring to prevent or at least detect intrusions. Furthermore, who will be fired and/or fined for storing CVVs indefinitely?
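The CVV retention point above is the one concrete technical failure the reporting describes. As an added example (not Guidance Software's code, and not anything reported about their system), here is the shape of a checkout path that cannot retain the security code, next to the leaky variant, and a retention audit that flags persisted records carrying a CVV-like field. The gateway authorizer is a stub, the "database" is an in-memory list, and the card data is a constructed test value.

```python
"""Added example: keep the card security code (CVV) out of persistent storage.
Assumptions: `authorize` stands in for a real payment gateway call, and the
database is an in-memory list of dicts. None of this is Guidance's code."""
from dataclasses import asdict, dataclass
import re

# Field names that should never appear in a persisted payment record.
CVV_KEYS = re.compile(r"^(cvv2?|cvc2?|cid|security_code|card_code)$", re.I)


@dataclass(frozen=True)
class CardInput:
    """What the customer types at checkout. Lives only for this request."""
    name: str
    pan: str        # primary account number (the card number)
    expiry: str     # MM/YY
    cvv: str


@dataclass(frozen=True)
class StoredOrder:
    """What is allowed to persist: masked PAN, no CVV field at all."""
    name: str
    masked_pan: str
    expiry: str
    auth_code: str


def authorize(card: CardInput, amount_cents: int) -> str:
    """Stub gateway call. The CVV is sent here and used nowhere else.
    A real gateway returns an authorization code; this fabricates one."""
    if not (card.cvv.isdigit() and len(card.cvv) in (3, 4)):
        raise ValueError("invalid security code")
    return f"AUTH-{card.pan[-4:]}-{amount_cents}"


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of the card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def checkout(card: CardInput, amount_cents: int, db: list) -> StoredOrder:
    """Correct path: authorize with the CVV, then persist a record type
    that has no place to put it."""
    auth = authorize(card, amount_cents)
    order = StoredOrder(card.name, mask_pan(card.pan), card.expiry, auth)
    db.append(asdict(order))
    return order


def checkout_leaky(card: CardInput, amount_cents: int, db: list) -> str:
    """Weak path: authorize, then dump the whole input (CVV and full PAN
    included) into the database. This is the pattern the card brands prohibit."""
    auth = authorize(card, amount_cents)
    row = asdict(card)
    row["auth_code"] = auth
    db.append(row)
    return auth


def retained_cvv_fields(db: list) -> list:
    """Retention audit: (row index, key) for every persisted CVV-like field."""
    hits = []
    for i, row in enumerate(db):
        for key in row:
            if CVV_KEYS.match(key):
                hits.append((i, key))
    return hits


if __name__ == "__main__":
    # Constructed test card; 4111... is a well-known non-live test PAN.
    card = CardInput("A. Customer", "4111 1111 1111 1111", "12/07", "123")
    good_db, bad_db = [], []
    checkout(card, 9999, good_db)
    checkout_leaky(card, 9999, bad_db)
    print("safe store flagged:", retained_cvv_fields(good_db))   # []
    print("leaky store flagged:", retained_cvv_fields(bad_db))   # [(0, 'cvv')]
```

The design point is that the safe path makes retention a type error rather than a policy: `StoredOrder` has no CVV attribute, so nothing downstream can accidentally write one. The audit function is what you would run against an existing database to find out whether you already have the problem.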
Comments
The competition will have a merry Xmas indeed.
Let me see, that would be law enforcement (LE) at the local, state, and Federal level. For Federal LE - there is Secret Service, FBI, IRS, ATF, etc.
Beyond Federal LE you've got the Intelligence Community (IC). So everyone from the military intelligence analysts out in the field to people working for the three letter agencies behind vaulted doors.
A treasure trove indeed!
Also, even if some super-secret Feds use this stuff, do they pay for it with their personal CC? Sounds unlikely.
Whether there will be a CardSystems effect is a very good question. One could say that CardSystems "should have known better" because this was their core competency, and they were duly punished once their ineptitude dragged MasterCard's reputation into the mud, too. I do not see that happening with this firm. If I had to guess, I would say they will come out looking like yet another inept retailer. They're DSW Shoes, but they sell software, not high heels. My personal opinion is that anyone who stores CVV info is either reckless, arrogant, or stupid, but it's not as clear to me that the law-enforcement customers we're looking at here will drop them the way CardSystems got dropped. Switching costs for the decisionmaker(s) are higher in this situation than they were with CardSystems.
The usefulness of things besides CC numbers probably depends what sort of information was in the database and tied to each customer. Did it have a purchase history? Did it have support contract information? Did it have the number of current licenses? Information like this might be useful and would definitely be more useful than just knowing a certain agency was at one point a Guidance customer. I can think of a number of uses for information of this nature, for example using it to assess the size of a particular Guidance customer's infosec department or using the customer information to assist with social engineering.
The intel value is not in the credit card number - it is in the names of the people who are users of the software. Big deal, a whole bunch more DoD VISA IMPAC card numbers are compromised; those cards are probably more closely monitored than personal accounts because there is a two-person check - the card holder and the certifying official. I won't go into details.
It allows someone to build a list of users and from there do further research on their organizations.
http://www.security-protocols.com/images/guidance-hacked.jpg